They are probably using POSTs to wp-login.php to send the requests. Did you just password protect wp-admin? It may also not be configured directly…
It might also be worthwhile to check the database table _users manually via phpMyAdmin or some other MySQL client. Some malware will manipulate what is shown in wp-admin, so an admin-level user could exist but not be shown in the wp-admin interface.
Thread Starter eehmke (@eehmke)
Here is my .htaccess content:
# Auth protect wp-login.php
<Files wp-login.php>
AuthName "Passwortgeschützter Bereich"
AuthType Basic
AuthUserFile /var/www/wpsite/.htpasswd
Require valid-user
</Files>
# Deny access to important files - Apache 2.4 and later
<FilesMatch "(\.htaccess|\.htpasswd|wp-config\.php)">
Require all denied
</FilesMatch>
The database table is clean.
Have you tried viewing your HTTP access logs and correlating them with the timestamps for the login warning alerts? It would help to show you more details about how your server is responding to the HTTP request. I’m guessing you probably have already confirmed using your browser that it requests authentication when visiting /wp-admin or /wp-login.php, so logs would be a good place to start IMO.
Thread Starter eehmke (@eehmke)
Thanks! Will check tomorrow.
Thread Starter eehmke (@eehmke)
It turns out the attack tried wp-login.php and xmlrpc.php. I put xmlrpc.php into my FilesMatch too, seems to work.
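The log check suggested above, as an added example that is not part of the original thread: it separates unauthenticated POSTs to wp-login.php and xmlrpc.php that Apache rejected (401/403) from those that still reached WordPress. It assumes Apache's "combined" log format; the sample lines, IP addresses and the function name `summarize` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2019:03:10:01 +0100] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2019:03:10:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2019:03:10:05 +0100] "POST /xmlrpc.php?x=1 HTTP/1.1" 200 674 "-" "curl/7.58.0"
198.51.100.23 - - [12/Mar/2019:03:11:40 +0100] "GET /wp-config.php HTTP/1.1" 403 199 "-" "curl/7.58.0"
192.0.2.50 - alice [12/Mar/2019:08:30:12 +0100] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2019:08:31:00 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}

def summarize(log_text):
    """Return (blocked, reached): a Counter of login POSTs the web server
    rejected per path, and a list of (timestamp, ip, path) tuples for POSTs
    that got past it and can be matched against lockout alert times."""
    blocked, reached = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path not in LOGIN_ENDPOINTS:
            continue
        if m["user"] != "-":
            continue  # request carried valid Basic Auth credentials
        if m["status"] in ("401", "403"):
            blocked[path] += 1
        else:
            reached.append((m["ts"], m["ip"], path))
    return blocked, reached

if __name__ == "__main__":
    blocked, reached = summarize(SAMPLE_LOG)
    print("rejected by Apache:", dict(blocked))
    for ts, ip, path in reached:
        print("reached WordPress:", ts, ip, path)
```

Entries in the second list for xmlrpc.php with status 200 are the pattern reported in this thread: wp-login.php is covered by the `<Files>` block, while xmlrpc.php is not until it is added to `FilesMatch`.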
Same issue, did you solve it?
Another one with the same problem.
Every hour, approx., I have a block from the admin user.
Also I changed the admin URL and activated the Away mode but still have attempts, also during the hours that are Away.
Any idea?
- This reply was modified 4 years, 5 months ago by pivodit.
I’m having the same problem! Changed admin URL and activated Away Mode but too many mail notifications of site lockouts.
- This reply was modified 4 years, 5 months ago by Shafar.
Thread Starter eehmke (@eehmke)
Since I modified my .htaccess as described above, my problem is solved.